Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu
Upstream released spamassassin 3.4.2 last month including fixes for
several security issues. Unfortunately, upstream developers have
indicated that they would not recommend, nor would they support, efforts
to backport these fixes to 3.4.1. In an apparent attempt at keeping the
details of the issues private while they worked on them, they did not
indicate which bugs were fixed with specific commits, and have indicated
that the fixes have been spread across many commits, many of which may
be relative to additional changes not in 3.4.1. The specifics of the
issues, and their repros (if any) have not been made public.
After discussions with upstream and with the security team, we decided
that the best course of action would be to forgo a DSA for these issues,
but otherwise accept upstream's recommendation and update to 3.4.2 in
stretch via p-u. In addition to the security issues fixed in 3.4.2, it
also switches from sha1 to sha256 and/or sha512 for validation of rule
updates downloaded by sa-update, which is a change we'll need if we want
sa-update to keep working when they stop publishing sha1 signatures at
some point in the next several months.
I have prepared an upload for stretch that is a backport of the 3.4.2-1
package currently in testing. The changelog entries from 3.4.1-6 to
3.4.2-1~deb9u1 are below. Note that stretch currently contains
3.4.1-6+deb9u1. The changes in that version are included in the 3.4.1-7
entry in the backport.
The debdiff for the debian/ subdirectory is attached. I pruned the
upstream changes, since they result in a large diff, but can provide
them if you want.
spamassassin (3.4.2-1~deb9u1) stretch; urgency=high

  * New upstream release fixes multiple security vulnerabilities
    - CVE-2017-15705: Denial of service issue in which certain unclosed
      tags in emails cause markup to be handled incorrectly leading to
      scan timeouts. (Closes: 908969)
    - CVE-2016-1238: Unsafe usage of "." in @INC in a configuration
      script.
    - CVE-2018-11780: potential Remote Code Execution bug with the
      PDFInfo plugin. (Closes: 908970)
    - CVE-2018-11781: local user code injection in the meta rule syntax.
      (Closes: 908971)
    - BayesStore: bayes_expire table grows, remove_running_expire_tok not
      called (Closes: 883775)
    - Fix use of uninitialized variable warning in PDFInfo.pm
      (Closes: 865924)
    - Fix "failed to parse plugin" error in
      Mail::SpamAssassin::Plugin::URILocalBL (Closes: 891041)
  * Don't recursively chown /var/lib/spamassassin during postinst.
    (Closes: 889501)
  * Reload spamd after compiling rules in sa-compile.postinst.
  * Update SysV init script to cope with upstream's change to $0.
  * Remove compiled rules upon removal of the sa-compile package.
  * Ensure that /var/lib/spamassassin/compiled doesn't change modes with
    the cron job's execution. (Closes: 890650)
  * Create /var/lib/spamassassin via dpkg, rather than the postinst.
    (Closes: 891833)
  * Add libbsd-resource-perl to Suggests (Closes: 910434)

 -- Noah Meyerhans  Sun, 30 Sep 2018 23:44:58 -0700

spamassassin (3.4.1-8) unstable; urgency=medium

  * Fix inappropriate invocation of invoke-rc.d in cron script.
    (Closes: 865514)
  * Update systemd unit dependencies to include network and syslog.
    (Closes: 864810)
  * Migrate packaging to git, finally.
  * Apply upstream patch to fix regex error leading to warnings in perl
    5.26+ (Closes: 869408)
  * Add Multi-Arch: foreign headers to package definitions (Closes:
    #850454)
  * Update standards version to 4.1.0.0
  * Remove references to the obsolete syslog.target dependency in the
    systemd service file.
  * Clarify the use of the perl-major-upgrade dpkg trigger.
  * Fix spamd service management on package upgrades. (Closes: #865356)

 -- Noah Meyerhans  Sat, 09 Sep 2017 22:37:20 -0700

spamassassin (3.4.1-7) unstable; urgency=medium

  * Ensure that spamd doesn't automatically start upon initial
    installation.
  * Disable bb.barracudacentral.org (RCVD_IN_BRBL_LASTEXT), as
    it requires users to register. (Closes: #861671)
  * Update the systemd unit file to use the same pid file as was
    used in the sysvinit script. (Closes: #808804)
  * Update spamassassin docs to remove outdated gpg version
    compatibility note. (Closes: #853913)

 -- Noah Meyerhans  Thu, 11 May 2017 19:45:36 -0700

diff -Nru spamassassin-3.4.1/debian/65_debian.cf spamassassin-3.4.2/debian/65_debian.cf
--- spamassassin-3.4.1/debian/65_debian.cf 2016-10-30 09:39:27.0 -0700
+++ spamassassin-3.4.2/debian/65_debian.cf 2018-09-30 23:44:58.0 -0700
@@ -25,3 +25,10 @@
metaD_SENT_BY_CRON __CRON_FROM && __CRON_HEADER
score D_SENT_BY_CRON -5.0
describe D_SENT_BY_CRONSent by Cron Daemon
+
+# As documented in
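Review bot: the hunk stops after `+# As documented in`, although the `@@ -25,3 +25,10 @@` header accounts for seven added lines, so the actual change to debian/65_debian.cf (the comment text and whatever rule or score it documents) cannot be reviewed from this excerpt; the context lines have also lost the whitespace between the keyword and the rule name (`metaD_SENT_BY_CRON`, `describe D_SENT_BY_CRONSent by Cron Daemon`), which suggests the diff was mangled when pasted inline. Please attach the complete debdiff for the debian/ directory as a file so the full hunk can be read and applied.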